You already know that AWS CloudFormation is a powerful tool for provisioning and managing your AWS infrastructure, but did you know that it can also provision and manage resources outside of AWS? Did you know that CloudFormation can fully bootstrap your EC2 instances, securely download data from S3, and even supports Mustache templates? In this session you will go on a deep dive, touring some of CloudFormation's most advanced features with a member of the team that built the service. Explore custom resources, cfn-init, S3 authentication, and Mustache templates in a series of technical demos, with code samples available for download afterwards.
3. This talk will not answer that question
• DMG201 - Zero to Sixty: AWS CloudFormation
– Has already happened, but will be available online
• Hands-on Labs
– Working with CloudFormation
– Launching and Managing a Web Application with CloudFormation
– Creating an Amazon Virtual Private Cloud (VPC) with CloudFormation
4. This talk will answer these questions:
• What is a custom resource?
• What can they do for me?
• How do I write one for myself?
• What’s new in cfn-init?
6. What can custom resources do?
• Add New Resources
• Interact with the CloudFormation Workflow
• Inject dynamic data into a stack
• Extend the capabilities of existing resources
7. What is a custom resource?
• An SNS topic…
• …hooked up to a service that can:
– Respond to JSON messages from CloudFormation
– Manage the lifecycle of resources
11. What can custom resources do?
• Add New Resources
• Interact with the CloudFormation Workflow
• Inject dynamic data into a stack
• Extend the capabilities of existing resources
12. Adding New Resources
• Something that can be Created, Updated, and/or Deleted
• Can be a software resource
– Database schema, Docker container
13. Meet Steve
• Steve loves RDBMS
• The schema is very important to Steve – it defines his application
• Running SQL scripts by hand is Steve’s worst nightmare
14. Steve’s requirements
• The Template should define the schema explicitly
• The schema should be updated by updating the stack
• If the update fails, the schema should roll back
15. Steve’s solution
• Steve is very familiar with Liquibase
• Liquibase supports JSON formatting!
• Steve writes a custom resource with inline JSON schema
19. What can custom resources do?
• Add New Resources
• Interact with the CloudFormation Workflow
• Inject dynamic data into a stack
• Extend the capabilities of existing resources
20. Interacting with the CloudFormation Workflow
• Use custom resources as a hook into create/update/delete workflows
• Built-in example: WaitCondition
• Can react to the workflow, halt it, or fail it under certain conditions
21. Meet Frank
• Frank analyzes data stored on EBS
• Frank uses CloudFormation’s Snapshot on Delete feature to save his analysis results
22. Frank’s requirements
• Frank wants a consistent EBS snapshot when the stack is deleted
• Before CloudFormation attempts to detach his EBS volume, it should:
– Cleanly shut down his analysis service
– Unmount the volume
23. Why is this a challenge?
• CloudFormation can detach volumes without any issues – if you never mount them
• What CloudFormation does not do, it cannot undo
• Custom resources let you model your steps within the workflow
24. Frank’s solution
• 3 simple bash scripts
• A “local” Custom Resource – runs directly on the instance
• Create and Update mount the drive; Delete unmounts it
30. What can custom resources do?
• Add New Resources
• Interact with the CloudFormation Workflow
• Inject dynamic data into a stack
• Extend the capabilities of existing resources
31. Injecting Dynamic Data into a Stack
• Parameters are the standard route into a stack
– Allow free-form user input
– Constrainable, but only on a per-stack level
• Mappings are traditionally used to map human-readable input to static values
– AMI IDs, instance type architectures, regional URLs
32. Injecting Data into a Stack
• Custom resources allow for centralized selection logic
• Lookups in:
– S3
– DynamoDB/RDS
– APIs (EC2.DescribeImages, etc.)
– Third-party datastore
33. Meet Bill
• Bill is the head of operations at a large tech firm
• Each of Bill’s 44 services must run on a fully validated and tested AMI
• Bill keeps track of these AMIs in a sweet multi-tabbed Excel spreadsheet
34. Bill’s requirements
• New AMIs should be rolled out centrally
• Bill does not want to edit the Mappings section of 44 templates for every release
• Bill wants to audit where AMIs are being used
35. Bill’s solution
• A manifest of named, approved AMIs stored in a versioned S3 file
• A simple Python script that looks up the AMI ID by region, OS, architecture, and version
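The lookup Bill's script performs, as an added example; this is not the talk's own script and the manifest layout (region → OS → architecture → version → AMI ID), the property names `Region`, `OS`, `Architecture`, `Version`, and the sample AMI IDs are assumptions. The manifest is embedded inline instead of being read from the versioned S3 object, the lookup resolves `latest` numerically rather than by string order, an unapproved image fails the request instead of falling back to a guess, and every successful lookup is recorded so Bill can see which stack launched which AMI.

```python
import json

# Constructed manifest standing in for Bill's versioned S3 object.  The shape
# is an assumption: region -> os -> architecture -> version -> AMI ID.
MANIFEST_JSON = """
{
  "amis": {
    "us-east-1": {
      "amazon-linux": {
        "x86_64": {"2013.09": "ami-11111111", "2013.03": "ami-22222222"},
        "i386":   {"2013.09": "ami-33333333"}
      }
    },
    "us-west-2": {
      "amazon-linux": {
        "x86_64": {"2013.09": "ami-44444444"}
      }
    }
  }
}
"""


class ApprovedAmiNotFound(Exception):
    """Raised instead of guessing, so the stack fails rather than launching an
    image Bill never approved."""


def load_manifest(text):
    return json.loads(text)["amis"]


def version_key(version):
    # "2013.09" -> (2013, 9): the newest version sorts last without relying on string order
    return tuple(int(part) for part in version.split("."))


def lookup_ami(manifest, region, os_name, arch, version="latest"):
    """Return {"ImageId", "Version"} for an approved AMI, or raise."""
    try:
        versions = manifest[region][os_name][arch]
    except KeyError:
        raise ApprovedAmiNotFound("no approved AMI for %s/%s/%s" % (region, os_name, arch))
    if version == "latest":
        version = max(versions, key=version_key)
    if version not in versions:
        raise ApprovedAmiNotFound("version %s of %s/%s is not approved in %s"
                                  % (version, os_name, arch, region))
    return {"ImageId": versions[version], "Version": version}


def resolve_for_stack(manifest, request, audit_log):
    """Handle one custom resource request: look the AMI up from the stack's
    ResourceProperties and append an audit record of which stack uses which
    AMI (Bill's third requirement).  Returns the Status/Data part of the
    response; the rest of the envelope is filled in by the resource handler."""
    props = request["ResourceProperties"]
    try:
        found = lookup_ami(manifest, props["Region"], props["OS"],
                           props["Architecture"], props.get("Version", "latest"))
    except (KeyError, ApprovedAmiNotFound) as exc:
        return {"Status": "FAILED", "Reason": str(exc)}
    audit_log.append({"StackId": request["StackId"],
                      "LogicalResourceId": request["LogicalResourceId"],
                      "ImageId": found["ImageId"], "Version": found["Version"]})
    return {"Status": "SUCCESS", "Data": found}
```

Because the custom resource returns the chosen `Version` in `Data` alongside the `ImageId`, a template can surface it with `Fn::GetAtt`, and the audit log answers "which stacks are still on the old image" without opening the spreadsheet.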
40. What can custom resources do?
• Add New Resources
• Interact with the CloudFormation Workflow
• Inject dynamic data into a stack
• Extend the capabilities of existing resources
41. Extending Resource Capabilities
• CloudFormation is concerned only with Create, Update, and Delete
• Some services, like Auto Scaling, have lifecycles outside of these phases
• No place in the template to encapsulate long-running, resource-based business logic
42. Meet Tom
• Tom manages a fleet of virtual desktops in AWS
• Tom uses Auto Scaling for a consistent fleet size
• Tom’s users use VNC to connect to their virtual desktops
43. Tom’s requirements
• Servers should be named using his clever, easy-to-remember Simpsons scheme
• Names should be recycled as machines are replaced
44. Tom’s solution
• Python scripts respond to Auto Scaling notifications to manage Route 53 records
• Names are managed in a simple DynamoDB table
50. Building Your Own Custom Resource
• Write code to respond to Create, Update, and Delete events
• Route the Custom Resource SNS topic to an SQS queue for maximum fault tolerance
51. Can you give me a diagram?
CloudFormation stack workflow starts building the Custom Resource
→ CloudFormation sends a CREATE notification to the Custom Resource
→ Custom Resource creates the resource and returns a JSON message
→ CloudFormation processes the JSON message and stores the result
→ Stack workflow continues
→ Other resources access Custom Resource attributes via GetAtt and Ref
52. How about an architectural overview?
(Diagram: within a Region, AWS CloudFormation publishes to the Custom Resource Topic, which feeds an SQS Queue consumed by the Custom Resource Implementation running in an Auto Scaling group.)
53. Can you add VPC?
(Diagram: the same topic and queue, with the Custom Resource Implementation connected over a VPN to an Existing Service in the Corporate Data center.)
54. What makes for a good resource?
• Good resources are idempotent
– One unique request, n times == one unique response
• Immediately usable when complete
• Can be deleted cleanly from any state
• Represent one standalone piece of functionality
– Embedded resources look convenient, but are hard to update
– Elastic Load Balancers embed Policies, which can depend on each other, yet this is not modeled in the template
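The request/response contract from slides 50 and 51, together with the idempotency and delete-from-any-state properties of slide 54, as an added example. It is not code from the talk, from aws-cfn-resource-bridge, or from the examples repository. The managed thing is a stand-in "schema" keyed by name (a `Custom::Schema` resource type is assumed for Steve's case); the request dicts are constructed but use the real CloudFormation field names (`RequestType`, `RequestId`, `ResponseURL`, `StackId`, `LogicalResourceId`, `ResourceProperties`, `PhysicalResourceId`), and the response carries the mandatory `Status`, `PhysicalResourceId`, `StackId`, `RequestId` and `LogicalResourceId` fields, with `Reason` when it fails.

```python
import json
import urllib.request


class SchemaBackend:
    """Stand-in for the thing being managed (Steve's schema, Tom's DNS name,
    ...), keyed by the PhysicalResourceId reported back to CloudFormation."""

    def __init__(self):
        self.schemas = {}

    def create(self, physical_id, props):
        if physical_id not in self.schemas:        # re-delivered Create: already done
            self.schemas[physical_id] = dict(props.get("Tables", {}))

    def update(self, physical_id, props):
        self.schemas[physical_id] = dict(props.get("Tables", {}))

    def delete(self, physical_id):
        self.schemas.pop(physical_id, None)       # unknown id: nothing to undo, still SUCCESS


class CustomResourceHandler:
    def __init__(self, backend):
        self.backend = backend
        self.responses = {}   # RequestId -> response: a redelivered message gets the same answer

    @staticmethod
    def physical_id_for(props):
        return "schema/" + props["SchemaName"]    # missing SchemaName -> KeyError -> FAILED

    def handle(self, req):
        rid = req["RequestId"]
        if rid in self.responses:
            return self.responses[rid]
        # PhysicalResourceId is mandatory even on FAILED; after a failed Create
        # CloudFormation sends a Delete for whatever id is reported here.
        resp = {"StackId": req["StackId"], "RequestId": rid,
                "LogicalResourceId": req["LogicalResourceId"],
                "PhysicalResourceId": req.get("PhysicalResourceId", req["LogicalResourceId"])}
        try:
            kind = req["RequestType"]
            props = req.get("ResourceProperties", {})
            if kind == "Create":
                pid = self.physical_id_for(props)
                self.backend.create(pid, props)
            elif kind == "Update":
                pid = self.physical_id_for(props)
                if pid != req["PhysicalResourceId"]:
                    # Replacement: build the new one; CloudFormation sends a Delete for
                    # the old PhysicalResourceId once the stack update succeeds.
                    self.backend.create(pid, props)
                else:
                    self.backend.update(pid, props)
            elif kind == "Delete":
                pid = req["PhysicalResourceId"]
                self.backend.delete(pid)
            else:
                raise ValueError("unknown RequestType %r" % kind)
            resp["Status"] = "SUCCESS"
            resp["PhysicalResourceId"] = pid
            resp["Data"] = {} if kind == "Delete" else {"SchemaName": props["SchemaName"]}
        except Exception as exc:                   # Reason is required when Status is FAILED
            resp["Status"] = "FAILED"
            resp["Reason"] = "%s: %s" % (type(exc).__name__, exc)
        self.responses[rid] = resp
        return resp


def request_from_sns(notification):
    """For an SNS-backed custom resource the request is the string Message
    field of the notification.  Verify the SNS message signature and check the
    TopicArn before acting on it (not shown here)."""
    return json.loads(notification["Message"])


def send_response(req, resp):
    """PUT the response to the pre-signed S3 URL CloudFormation supplied.  The
    URL carries its own authorization; an empty Content-Type is sent, as the
    cfn-response helpers do, so the pre-signed signature still matches."""
    body = json.dumps(resp).encode("utf-8")
    http_req = urllib.request.Request(
        req["ResponseURL"], data=body, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(body))})
    return urllib.request.urlopen(http_req).status


def make_request(kind, request_id, props, physical_id=None):
    """Constructed request with the real CloudFormation field names."""
    req = {"RequestType": kind, "RequestId": request_id,
           "ResponseURL": "https://example.invalid/presigned-response-url",   # placeholder
           "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/1",
           "ResourceType": "Custom::Schema", "LogicalResourceId": "AppSchema",
           "ResourceProperties": dict(props, ServiceToken="arn:aws:sns:us-east-1:123456789012:cr-topic")}
    if physical_id is not None:
        req["PhysicalResourceId"] = physical_id
    return req
```

Two behaviours matter for the SQS-backed deployment of slide 50: a message redelivered after a worker crash is answered from the `responses` cache rather than re-executed, and a Delete for an id the backend has never seen (the rollback of a failed Create) returns SUCCESS instead of wedging the stack in DELETE_FAILED. The `Reason` string is shown verbatim in the stack events, so keep credentials and connection strings out of it.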
55. You keep telling me it’s simple…
• It’s really simple if you use aws-cfn-resource-bridge
• Cross-platform hook-based daemon
• Simply supply scripts for Create, Update, and Delete
• Open source (Apache 2.0)
• Install or fork from https://github.com/aws/aws-cfn-resource-bridge
56. Example Code
• All examples from this talk are available at https://github.com/awslabs/aws-cfn-custom-resource-examples
• Stealing from others is the easiest way to get started
– And the best way to use CloudFormation!
58. cfn-init
• Simple library for “getting bits on the box”
• Install packages, download files, start services
• Works on Windows, Linux, and any platform with Python 2.6 or 2.7
59. {{cfn-init}}
• Fn::Join can be hard to follow
• Many configuration files are largely boilerplate
• Files can process Mustache templates
• Simply add context
67. Roleplaying
• cfn-init can use roles to download from S3
• Secured files are not just for proprietary code
– Non-AWS credentials
– Private service endpoints
– Dynamic code (enabling or disabling features)
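Slides 59 and 67 together, as an added example (not the talk's own template): the instance metadata cfn-init consumes when a file is rendered from a Mustache template through its `context` key and another file is fetched from a private S3 object with a role-based `AWS::CloudFormation::Authentication` entry, plus two checks for the mistakes that otherwise only surface as a failed cfn-init run on the box. The metadata is built as a Python dict so the checks can run over it; `/etc/myapp/...`, the bucket, and the role name are placeholders, and the "mode" default is cfn-init's 000644.

```python
import re

MUSTACHE_VAR = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Virtual-hosted S3 URLs: https://<bucket>.s3.amazonaws.com/... or https://<bucket>.s3-<region>.amazonaws.com/...
S3_SOURCE = re.compile(r"^https://([^./]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/")


def init_metadata(db_host, db_port, bucket, role_name):
    """Metadata for cfn-init: one file rendered from an inline Mustache
    template via `context`, one private file pulled from S3 with the instance
    role.  Paths, bucket and role are placeholders."""
    return {
        "AWS::CloudFormation::Authentication": {
            "S3AccessCreds": {"type": "S3", "roleName": role_name, "buckets": [bucket]}
        },
        "AWS::CloudFormation::Init": {
            "config": {
                "files": {
                    "/etc/myapp/app.conf": {
                        "content": "db_host = {{db_host}}\ndb_port = {{db_port}}\n",
                        "context": {"db_host": db_host, "db_port": str(db_port)},
                        "mode": "000600", "owner": "root", "group": "root"},
                    "/etc/myapp/secrets.json": {
                        "source": "https://%s.s3.amazonaws.com/myapp/secrets.json" % bucket,
                        "authentication": "S3AccessCreds",
                        "mode": "000600", "owner": "root", "group": "root"}}}}}


def context_check(files):
    """Every {{var}} in an inline template needs a key in its context, or the
    file lands on the box with a blank where the value should be."""
    missing = {}
    for path, spec in files.items():
        if "context" not in spec:
            continue
        wanted = set(MUSTACHE_VAR.findall(spec.get("content", "")))
        gaps = sorted(wanted - set(spec["context"]))
        if gaps:
            missing[path] = gaps
    return missing


def auth_check(metadata):
    """Every S3 source must name an Authentication entry whose bucket list
    covers it (otherwise the download is unsigned and a private object returns
    403), and a file worth authenticating should not be world-readable."""
    auth = metadata.get("AWS::CloudFormation::Authentication", {})
    files = metadata["AWS::CloudFormation::Init"]["config"].get("files", {})
    problems = []
    for path, spec in files.items():
        match = S3_SOURCE.match(spec.get("source", ""))
        if not match:
            continue
        bucket = match.group(1)
        entry = auth.get(spec.get("authentication", ""))
        if entry is None:
            problems.append("%s: S3 source without an 'authentication' entry" % path)
        elif entry.get("type") != "S3" or bucket not in entry.get("buckets", []):
            problems.append("%s: authentication entry does not cover bucket %s" % (path, bucket))
        mode = spec.get("mode", "000644")          # cfn-init default when mode is omitted
        if not mode.endswith("0"):
            problems.append("%s: secured file is readable by other users (mode %s)" % (path, mode))
    return problems
```

With `roleName` the instance signs the S3 request with its role credentials, so nothing secret is embedded in the template; the last digit of `mode` is the permission bits for everyone else on the box, which is what keeps a downloaded credential file away from the application's unprivileged neighbours.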
71. cfn-hup
• Not new, but not often used in samples
• Installed in the same package as cfn-init
• Available as a Linux and Windows service
• Listens for changes to the stack and runs scripts when they occur
– Usually just runs or re-runs cfn-init
72. Custom Resources vs. cfn-hup
• Custom Resources require an SNS topic, and usually an SQS queue
• cfn-hup cannot interact with the CloudFormation workflow
– Workflow will not wait for cfn-hup
– cfn-hup cannot fail the workflow
– cfn-hup cannot inject data into the stack
73. Summary
• Custom Resources let you extend CloudFormation beyond the existing Resource Library
• For more than just “things that can be created”
• cfn-init lets you use Mustache and Roles to create simple, secure configuration
74. Corner us in the Developer Lounge
Adam Thomas
DJ Edwards
75. DMG303 - AWS CloudFormation Under the Hood